[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SPD issues

To: ipsec@lists.tislabs.com
Subject: SPD issues
From: Stephen Kent <kent@bbn.com>
Date: Wed, 24 Sep 2003 18:50:37 -0400
Sender: owner-ipsec@lists.tislabs.com

Folks,

In revising the processing mode, based on feedback from various 
folks, I want to make sure that we have enough functionality, but not 
more than is really needed. In this regard, I want to conduct a quick 
poll.

The topic, in a way, is how many SPDs do we need?  2401 says we have 
an SPD per interface, but maybe that's not enough, or too many, or 
just not the right question to be asking.

So, let's ask the question differently.  What are the inputs needed 
to select the right SPD?
	- In a very simple context it seems we could get away with 
just one SPD, relative to which all traffic is examined.  so any 
answer we choose must yield this answer for the simple cases.

	- In a PPVPN context, having a different SPD per subscriber 
seems to make sense, since the intent it so allow each subscriber to 
define his/her own SPD.  In this case, the SPD could be selected 
based on the source of the (outbound) traffic. You could think of 
this as being per interface, relative to the interfaces via which the 
outbound traffic arrives, but it does not imply a need for different 
SPDs for the interfaces via which inbound traffic arrives, an 
asymmetry.

	- My previous proposal for a revised processing model, from a 
few weeks ago, retained the idea of multiple SPDs, allocating them to 
virtual interfaces, and introduced the notion of a forwarding 
function to select the right virtual interface, and thus SPD.  But, 
unless we feel a need to have different SPDs per interface, this 
seems like overkill. I think we do want to allow forwarding of 
outbound traffic to be independent of SPD selection, so some notion 
of an explicit forwarding function in the model still seems 
appropriate. but, as we discussed the model, there was a suggestion 
that we might need two such functions, one to select an SPD, and then 
one to be applied after IPsec processing. maybe, if we separate SPD 
selection from interface selection we can have two functions but only 
one of them is really for forwarding.

	- Along those lines, we could introduce an SPD selector 
function that, like the forwarding function, can use any info in a 
packet to select an SPD, but without associating the SPD with an 
interface per se.

Comments?

Steve

Follow-Ups:
- Re: SPD issues
  - From: Mark Duffy <mduffy@quarrytech.com>

Prev by Date: Re: How to reduce number of IPSEC security policies that need to be configured?
Next by Date: RFC 3602 on The AES-CBC Cipher Algorithm and Its Use with IPsec
Prev by thread: Re: How to reduce number of IPSEC security policies that need to be configured?
Next by thread: Re: SPD issues
Index(es):
- Date
- Thread